Exploits Hot on the Heels of Microsoft's Patches

Daniel Fleshbourne on 14 June 2007 - 09:35

Exploits appeared within hours for two of the bugs that Microsoft Corp. fixed Tuesday. Microsoft's June set of security updates patched 15 separate vulnerabilities, nine of them labeled "critical," the company's most serious threat rating. Exploit code for two of the bugs -- one in Internet Explorer (IE), the other in Windows XP, Windows 2000 and Windows Server 2003 -- has been posted to the Bugtraq and Full-disclosure mailing lists by researchers.

A. Micalizzi went public with a pair of exploits -- one successful against Windows 2000, the other against Windows XP -- that leverage one of the six IE bugs patched Tuesday. A bug -- actually two because both the ActiveListen and ActiveVoice ActiveX controls are flawed -- was tagged "critical" in IE6 on Windows 2000 and Windows XP SP2, and "critical" in IE7 on both XP SP2 and Windows Vista. ActiveListen and ActiveVoice provide speech processing and text-to-speech to the browser.

News source: PCWorld

Comments
#1 markjensen on 14 Jun 2007 - 11:33
Hmmm.. Sounds like what happened to Apple right after they released Safari for Windows.
#1.1 kheldorin on 14 Jun 2007 - 11:57
Quote - (markjensen said @ #1)
Hmmm.. Sounds like what happened to Apple right after they released Safari for Windows.

No, the guys looked at the bug that MS fixed and created an exploit based on that bug. By revealing what they fixed, MS gave them clues on where the bug lies. They want to take advantage of the window that exists when the patch is announced and when people apply those patches. That's why it is normal for the ThreatCon security status indicator to be set at "Level 2: Elevated," after the patches are revealed.
